Replies: 1 comment
Thanks for the heads-up! There already is an open dependabot PR for bumping path-to-regexp, we only need to find the time to make it compatible. The described attack scenario isn't that relevant for swup, though, as it's primarily affecting backends written in js (node, bun, ...) and swup only runs in the browser. Anyway, a good opportunity to update the library!
Hi there
I am uncertain if this is the appropriate section for this discussion, but I would like to provide the following information.
A vulnerability has been identified in the npm package "path-to-regexp", which allows for output backtracking in regular expressions. The affected versions are >= 0.2.0 and < 8.0.0.
Issue
Swup version 4 currently utilizes "path-to-regexp" version "^6.2.1", which falls within the affected range and is therefore susceptible to this vulnerability. Check the current package.json.
Solution
To resolve this, the package in Swup should be updated to version 8.0.0 or later.
Sources:
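The report above gives the affected version range but not the mechanism behind the backtracking. The following is an added example, not code from swup or from path-to-regexp, that hand-rolls a minimal route compiler to show the risky shape (two parameters inside one path segment, joined by a literal that the parameters themselves can also match, e.g. `/:a-:b`) next to a hardened variant whose parameter class excludes the first character of the literal that follows it. The regexp shapes, the tokenizer and the mitigation are my approximation of the idea, not the library's implementation; the attacker path in `craftedPath` is constructed for the demo.

```javascript
// Added example: a hand-rolled, minimal route compiler that reproduces the
// shape of the problem and a hardened variant. It is NOT code from swup or
// from path-to-regexp; the regexp shapes are an assumption about what the
// affected releases generated, chosen to show the mechanism.

const DELIM = '/';

// Escape a literal for use in a RegExp source (inside or outside a class).
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/-]/g, '\\$&');
}

// Split a route such as "/:a-:b" into literal and parameter tokens.
function tokenize(route) {
  const tokens = [];
  const re = /:([A-Za-z_][A-Za-z0-9_]*)|([^:]+)/g;
  let m;
  while ((m = re.exec(route)) !== null) {
    tokens.push(m[1] !== undefined
      ? { type: 'param', name: m[1] }
      : { type: 'literal', value: m[2] });
  }
  return tokens;
}

// Static check a consumer can run over its own route table: two
// parameters inside one segment (no delimiter between them) is the shape
// that produces the ambiguous regexp modelled below.
function hasAdjacentParams(route) {
  let seenParam = false;
  for (const t of tokenize(route)) {
    if (t.type === 'literal') {
      if (t.value.includes(DELIM)) seenParam = false;
    } else if (seenParam) {
      return true;
    } else {
      seenParam = true;
    }
  }
  return false;
}

// Compile a route to a RegExp. Unhardened: every parameter is "[^/]+?",
// so it can also swallow the literal that follows it, and on a failing
// input the engine tries every split between the two parameters
// (quadratic work). Hardened: the class additionally excludes the first
// character of the following literal, so only one split is possible.
function compile(route, { hardened = true } = {}) {
  const tokens = tokenize(route);
  let src = '^';
  tokens.forEach((t, i) => {
    if (t.type === 'literal') {
      src += escapeRe(t.value);
      return;
    }
    let excluded = DELIM;
    const next = tokens[i + 1];
    if (hardened && next && next.type === 'literal') excluded += next.value[0];
    src += `([^${escapeRe(excluded)}]+?)`;
  });
  src += `${escapeRe(DELIM)}?$`;
  return new RegExp(src);
}

// Constructed attacker input: n separator characters that both parameters
// can match, then "/a" so that the overall match is guaranteed to fail.
function craftedPath(n) {
  return '/' + '-'.repeat(n) + '/a';
}

// Wall-clock cost of one test() call, in milliseconds.
function timeMs(re, input) {
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

function demo(n = 20000) {
  const route = '/:a-:b';
  const slow = compile(route, { hardened: false });
  const fast = compile(route, { hardened: true });
  const input = craftedPath(n);
  return {
    flagged: hasAdjacentParams(route),
    unhardenedMs: timeMs(slow, input),
    hardenedMs: timeMs(fast, input),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `demo()` shows the unhardened regexp spending a noticeable fraction of a second on a 20,000-character path while the hardened one rejects it immediately, because its first parameter cannot consume the `-` at all. For a consumer of the library the practical check is `hasAdjacentParams` over the route strings actually handed to it: a dependency inside the affected range is only exploitable, as this model has it, when such a route is compiled and an attacker controls the path matched against it.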